DNSSEC for dns.he.net - help?
Hi all,
I moved my domains to dns.he.net ; when changing the authoritative nameserver to HE, my registrar warned me that I'd have to set up DNSSEC myself if I did not use their own servers.
That was what I had planned on doing anyway, if with 'doing it yourself' they mean 'configure the things over at dns.he.net'.
I remembered seeing references to DNSSEC on HE's website, and was not too concerned. Now that I dug into the matter, it turns out that half of their forum is about lack of DNSSEC, accumulated in threads over the past 15 years. In the mean time it is supposed to more or less be available, via a slave domain or when using HE as secondary DNS. When searching the net how to do that, one of the top results was...
@vyas said:
What is the advantage of using he.net dns over other “free” providers?
.... supports DNSSEC (pre-keyed) ...
The pre-keyed bit, does that mean that I need my registrar to sign the domain, and after that I make the signature available at HE via the slave option?
At the moment I configured all domains under 'Zone Management'. I had a look at 'new domain'/'new slave', but I am not well-versed enough in DNS to know which one to enter where.
Does this mean that I'll have to ask my registrar to rewind the change of authoritative nameserver, and keep managing the domains at the registrar?
I hope I got the terms right and that the story is clear enough to get the context. Possibly a (for me) complicating factor to deal with later is that a handful of domains is registered at this registrar that has its DNSSEC in order (also according to dnsviz.net), but some other domains are at various registrars that couldn't be bothered.
Could you offer some guidance?
Comments
Signing is done at the primary DNS (which might be the registrar, but not necessarily). Some services might have a nice interface, but if you're managing your own primary DNS then doing it in a shell goes something like this:
/usr/sbin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/pki/dnssec-keys -n ZONE $ZONE
/usr/sbin/dnssec-keygen -a NSEC3RSASHA1 -b 2048 -K /etc/pki/dnssec-keys -n ZONE -I ${INADATE} -D ${DELDATE} $ZONE
, passing the validity dates for the keys.SALT=$(tr -cd '[:xdigit:]' </dev/urandom | fold -w 16 | head -1); /usr/sbin/dnssec-signzone -3 $SALT -A -S -K /etc/pki/dnssec-keys -N KEEP -o $ZONE -t /var/named/data/$ZONE.zone
HE is like a "transparent slave", i.e. it just pulls the zone data that was already signed at the primary DNS and serves it as-is. So if your signing has worked on the primary, it should work on HE.
The KSK is done occasionally, but the ZSK process should be repeated regularly in order to rotate keys. You can have a "next key" queued that becomes active just before the current one expires. This can be automated by a cron job. I manage my own primary, but the provider of your primary DNS might take care of this process for you, and if so they should be telling you what to put for the DS records at the registrar.
Hi tetech,
Thank you so much for taking the time to spell it all out!
I once had a go at running DNS for a single domain, which resulted (even without DNSSEC) in looong outages of the domain itself as well as some annoyance at home (setting my test installation as resolver for the family). Now that I can afford some VPSs, I could have another go at it ;-)
Anyway: if I like to have DNSSEC for my domains, I will have to bother my registrar in every case, because I asked them to set HE as the authoritative resolver, correct?
For the short term, I'll revert to having the authoritative nameserver this bunch of domains at the registrar. I'm sure they'll be looking forward to another ticket around Christmas :-P
Once again, thank you for your trouble! Running my own DNS is not off the list yet, most probably I'll post here again once I get stuck configuring it.
What I would suggest is to run a "hidden master". This means in the registrar, the nameservers are set to the public DNS service (e.g. HE) but then HE pulls from your "private" DNS server. What I would do is use two DNS services (HE + another one) which both pull from your hidden master and use one each of their nameservers in the registrar.
This has the plus of a better network (e.g. anycast) and you don't have to ensure your private DNS stays up. Down side is you still have to maintain the master which usually means no GUI (firewall it).
Typically there is no "bothering". So if I take an example with namesilo (where the "DNS records" already point to HE), when you manage your domain you see a link to DS records like this:
When you click this link, you can add DS records yourself:
What to enter here is given by your KSK command, e.g.
ZONE=example.com; /usr/sbin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/pki/dnssec-keys -n ZONE $ZONE
creates a key, and then you can get the DS info from that key file:/usr/sbin/dnssec-dsfromkey /etc/pki/dnssec-keys/Kexample.com.+007+53233.private
, example output:This shows that the key tag is 53233, the algorithm is 7 (RSASHA1-NSEC3-SHA1) and the digest type is 2 (SHA-256). The string at the end goes in the "Digest" field.
This has now told the registrar that the domain is set up for DNSSEC, i.e. DS records will be returned indicating that the domain records (RRs) are supposed to be signed. It didn't require any intervention or contact with the registrar. Needing a ticket for any of this stuff would be extremely unusual.
If you want to stop using DNSSEC, you just remove the DS records (and of course stop signing at the primary DNS).
By the way, I stopped using DNSSEC for most of my domains. At the risk of starting an ideological dispute, it doesn't add that much and for me the key thing is that dynamic signing is practically difficult. For example, if I do GeoDNS where I direct proxy.example.com to the geographically nearest available server, this means the A record changes dynamically and static signing (i.e. pre-signing it at a hidden master) doesn't work. The signing needs to be handled at the public resolver, which is perfectly doable but rules out basically every free service (like HE) and means you need to distribute the signing key to the resolvers rather than having it tucked securely away. I still use DNSSEC for domains that are static (with records that only change infrequently).
Hi tetech,
Thanks once more!
I think I understand the 'hidden master' concept. That one I would run myself, either at home or an a VPS (or dedi/colo/.. whatever the budget can pay). Having HE's slave and a secondary DNS (maybe one I run myself as well, or another service) point there I can also follow.
From there on it gets muddy. I throw it all out, and hope it makes sense:
Sorry to come across as totally clueless. I have some rudimentary image in place, but details only for the most straightforward basics.
Correct, but a VPS or home is enough for a hidden master, definitely nothing more serious is needed unless you are dealing with thousands of domains.
At least one of the NS records at the registrar needs to point to a HE nameserver. It is not required for more than one to point to HE.
It is flexible how you distribute it. I typically use 2x HE and 2x something else. You could do more NS and distribute them differently if you want. The point of having two providers is if one goes down then things should still work.
Mmm that doesn't sound right.
You only need to deal with glue records if the DNS servers themselves are in the same domain. Let's say your domain is example.com, and you want "vanity" nameservers like ns1.example.com and ns2.example.com. Then you need glue records. If you set the nameservers for example.com to something in a different domain (like he.net) then you do not need glue records.
All you need to do is set the nameservers at the registrar. If your registrar does not allow you to do a simple change of nameservers without a ticket then it is surprising they stay in business.
This sounds like it is massively over-complicating a fairly simple task.
Yes. The slaves only need to access the master to do an AXFR when the domain records change. A hidden master does not need 100% uptime.
Yes, I meant block port 53 from every source except the slaves.
I'm not sure about GUI. Depends if you use bind or something else. If you use PDNS then I know there are GUIs (like "PDNS manager").
Hi Tetech,
Thank you so much for your trouble!
Due to historic dents in my ego, another go at running a nameserver did not cover a top spot on my todo list.
Even so, it was on the list. Thanks to your patient explanation the project has elevated itself quite a few steps. I won't be asking practical implementation questions this week or so, probably also not early next year, but one day I'll try to lay claim on your time once more!
Is it possible to use HE's DNS service for web forwarding?
IOW, if your domain example.com is using HE's DNS servers, having www.example.com forward to www.yahoo.com
No
Dynamic signing is possible with DNSSEC. I use OpenDNSSEC myself, and I have configured it to query an internal Bind9 server which have one dynamic zone. But I think DNSSEC with split-horizon DNS is more complicated. That's one reason I don't use split-horizon DNS.
What do you lose if you do not use DNSSEC for your domain?